torrentclaw/torrentclaw-skill
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
torrentclaw-skill/.github/workflows/ci.yml
Deivid Soto d3d6c702ed fix(security): eliminate shell injection and add input validation 
Replace unsafe string interpolation in aria2 RPC JSON construction
with jq --arg for proper escaping. Add magnet URL format validation
to reject arbitrary input. Refactor detect-client.sh JSON output
to use jq. Add CI security check to prevent regression.

Resolves VirusTotal "Suspicious" classification caused by the
shell injection vulnerability in add-torrent.sh.
2026-02-15 10:47:10 +01:00

71 lines
2.1 KiB
YAML
Raw Blame History

name: CI
on:
pull_request:
branches: [main]
push:
branches: [main]
permissions:
contents: read
jobs:
lint-commits:
name: Lint commits
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Validate conventional commits
run: |
base="${{ github.event.pull_request.base.sha }}"
head="${{ github.event.pull_request.head.sha }}"
pattern='^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\(.+\))?(!)?: .{1,}$'
failed=0
while IFS= read -r msg; do
first_line=$(echo "$msg" | head -1)
if ! echo "$first_line" | grep -qE "$pattern"; then
echo "FAIL: $first_line"
failed=1
fi
done < <(git log --format="%s" "$base".."$head")
if [ "$failed" -eq 1 ]; then
echo ""
echo "Some commits do not follow Conventional Commits format."
echo "Expected: <type>[scope][!]: <description>"
echo "See: https://www.conventionalcommits.org/"
exit 1
fi
echo "All commits follow Conventional Commits format."
lint-scripts:
name: Lint shell scripts
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run ShellCheck
run: shellcheck scripts/*.sh
security-check:
name: Security patterns check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check for unsafe string interpolation in curl payloads
run: |
# Flag inline JSON in double quotes (allows shell interpolation).
# Safe patterns: curl -d '{}' (single quotes) or curl -d "$var" (pre-built payload).
if grep -rPn 'curl.*-d\s*"[{]' scripts/*.sh; then
echo ""
echo "ERROR: Found curl -d with inline JSON in double quotes."
echo "Use jq --arg to build JSON safely and pass via variable."
exit 1
fi
echo "No unsafe curl patterns found."
Reference in a new issue View git blame Copy permalink